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2127 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MO NTH (S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CPR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )M Responsive to communication(s) filed on 25 August 2004 . 
2a)S This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quay/e, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) I3 Claim(s) 19 and 21-39 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) [x] Claim(s) 19 and 21-39 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)[3 The drawing(s) filed on 25 August 2004 is/are: a)E3 accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 1 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 1 1 9 

12)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 .□ Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 



1. 



This action is in response to the Amendment on 8/25/04. Applicant's arguments have 



been fully considered but were not found to be persuasive. 



2. 



Claims 19 and 21-39 are pending in the application. 



Claim Rejections - 35 USC § 112 



The following is a quotation of the first paragraph of 35 U.S. C 112: 

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

3. Claims 36-39 are rejected under 35 U.S.C. 1 12, first paragraph, as failing to comply with 
the written description requirement. The claim(s) contains subject matter which was not 
described in the specification in such a way as to reasonably convey to one skilled in the relevant 
art that the inventor(s), at the time the application was filed, had possession of the claimed 
invention. Learning only the normal behavior of the application is the subject matter that was 
not described in the specification. Applicant has pointed to page 9, lines 1 1-17 of their 
specification. However, this section as well as the entire specification fails to provide the written 
description for learning only the normal behavior of the application. At best, the specification 
discloses attempting to learn when falling within certain parameters. However, this does not 
indicate normal behavior and the specification does not define the normal behavior to have any 
structural relationship with any certain parameters. In fact, it is not even disclosed in the 
specification the definition of what a relative term like normal is. 
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Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S. C 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 19, 21-39 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shieh et al. (hereinafter Shieh) (US 5,278,901) in view of Crosbie et al. (hereinafter Crosbie) 
"Active Defense of a Computer System using Autonomous Agents". 

5. As to claim 19, Shieh teaches an apparatus for ensuring the integrity of an application 
executed on a computer having data storage arranged sectorwise comprising: 

an enforcement device, operative after said period is over, for identifying and preventing 
said application from accessing elements of data storage that do not correspond with the 
normal behavior of said application ("pattern-oriented instruction detection system and 
method that defines patterns of intrusion '\ see Abstract, "intrusion detection system 
see Fig. 2, item 215, col 9, lines 5-6 and 67, "present protection graph 205", col. 9, line 
65, col. 18, lines 50-56, col. 1, lines 17-19)', 
Shieh fails to explicitly teach: 

apparatus for learning about the normal behavior of said application to said data storage 
arranged sectorwise by monitoring accesses of said application to elements of said data 
storage during a limited period; . 
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6. However, Crosbie teaches an intruder detection system that recognizes the intruder, 
learns about the intrusions, and deals with the intrusions when detected ("Intruder recognition", 
"Learning about intrusions ", "Response to an intrusion page 4, right hand column, page 2, 
right hand col, lines 36-39, page 6, left hand col Lines 33-36, righ hand col Lines 8-10). 

7. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to combine the teachings of Shieh and Crosbie because Crosbie's feature of learning 
about the normal behavior of said application by monitoring accesses of said application to 
elements of said data storage would improve the accuracy of dealing with the intrusion. The 
knowledge learned about intrusions is used in future decisions of responding to an intrusion 
("learn about intrusions and use that knowledge in future decisions", page 4, col 2, 2 nd bullet 
point). 

8. As to claim 21, Crosbie teaches an apparatus wherein said enforcement device is 
operative to prompt a user to give specific permission, upon occurrence of an attempt of the 
program to access files not accessed during said learning period. Crosbie teaches a system which 
recognizes intrusions, learns about the intrusions, and responds/deals with the intrusions that are 
detected and are based by a human operator ("anomalous activity", "human operator", page 6, 
col 2, "Intruder recognition ", "Learning about intrusions "Response to an intrusion ", page 

4, col 2, "observe deviations from normal behaviour" , page 5, col I, "Cooperative 
monitoring", see Abstract). Shieh in view of Crosbie fails to explicitly teach that the verification 
data for each program is stored in a file and that file is accessed for verification. However, 
"Official Notice" is taken that both the concept and advantages of providing that data can be 
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stored in a file is well known and expected in the art. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to include a file that contained the 
verification data of each program to the existing system for the reason of increasing organization 
of the program by keeping the verification information for a particular program in one area. It 
makes it simpler for the respective program to access the information. 

9. As to claim 23, it is rejected for the same reasons as stated in the rejection of claim 2 1 . 
Furthermore, it is obvious that there is more leniency to access files with user permission 
because there is no leniency without permission. 

10. As to claims 22 and 24, Shieh teaches an apparatus for ensuring the integrity of a 
computer application to be run in association with a computer having data storage arranged 
sectorwise in a storage device, comprising: 

- apparatus for assigning a general enforcement file to each new program ("protection sets 
help define the targets of intrusion detection", col 8, lines 19-20, "audit trails", 
"protection graph", col 8, lines 37-49)\ 

Shieh fails to explicitly teach: 

- apparatus for learning about the program by monitoring the program of said data storage, 
by monitoring the program's attempts to make file accesses during a learning period; 

- an enforcement device operative, after said learning period is over, to treat attempts of the 
program to access files accessed during said learning period more leniently than attempts 
of the program to access files not accessed during said learning period, said enforcement 
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device is based at least on instances of specific permission being given by the user to said 
application to access locations of said data storage, wherein said enforcement device 
treats attempts of said application to access locations of said data storage to which the 
user has permitted to access during said learning period more leniently than attempts of 
the program to access files to which the user did not permit access during said learning 
period. 

1 1 . However, Crosbie teaches a system which recognizes intrusions, learns about the 
intrusions, and responds/deals with the intrusions that are detected and are based by a human 
operator ("anomalous activity ", "human operator ", page 6, col 2, "Intruder recognition " 
"Learning about intrusions", "Response to an intrusion", page 4, col 2, "observe deviations 
from normal behaviour", page 5, col 1, "Cooperative monitoring", see Abstract). Shieh fails to 
explicitly teach that the verification data for each program is stored in a file. However, "Official 
Notice" is taken that both the concept and advantages of providing that data can be stored in a 
file is well known and expected in the art. It would have been obvious to one of ordinary skill in 
the art at the time the invention was made to include a file that contained the verification data of 
each program to the existing system for the reason of increasing organization of the program by 
keeping the verification information for a particular program in one area. It makes it simpler for 
the respective program to access the information. 



12. 



As to claim 25, it is rejected for the same reasons as stated in the rejection of claim 24. 
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13. As to claim 26-28, Crosbie teaches a method further comprising enabling the user of said 
first application to determine said normal behavior during said learning period (see rejection of 
claims 24 and 25). 

14. As to claim 29-34, Shieh in view of Crosbie teaches a method further comprising 
detecting attempts of a daughter or second application of said first application to access elements 
of data storage that do not correspond to said normal behavior as determined by said 
enforcement file and inhibiting said accesses, thereby preventing the damage thereupon. It is 
rejected for the same reasons as stated in the rejection of claims 22 and 24. In addition, Shieh 
teaches detection on two applications ("detection of unintended use of foreign programs and 
detection of virus propagation", col 4, lines 10-23). 

1 5. As to claim 35, it is obvious to have a second application is executed on a second 
computer for the reason of increasing the speed of running the application by not using the 
resources of the first computer to run the second application. 

16. As to claims 36-39, Sheih teaches the learning with respects to claim 19 learns only the 
normal behavior of the application (col 2, lines 34-41, col 8 t lines 19-20). Items stored in the 
protection graph is only of the normal behavior. Once the normal items in the protection graph 
are learned, it is then compared to the items in the set of intrusion patterns. 
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Response to Arguments 

1 7. Applicant argues on page 10 that Shieh teaches only detection of abnormal behavior but 
is totally silent on the prevention and restriction of abnormal behavior. 

In response, the Examiner respectfully disagrees. Shieh teaches not only detection but 

also penetration resistance necessary to prevent illegitimate access (col 1, lines 17-19). In 

addition, Crosbie (the combined reference) teaches responding to an intrusion - once an intrusion 

is detected, how is it dealt with (page 4, lines 21-22). 

18. Applicant argues that the newly added claims 36-39 introduces the limitation regarding 
the computer learns only the normal behavior of the application and that Crosbie fails to teach 
this. 

In response, this limitation is taught in Sheih. Applicant stated that Crosbie doesn't teach 
this limitation but doesn't deny that Sheih teaches this. In the reference of Sheih, items stored in 
the protection graph is only of the normal behavior. Once the normal items in the protection 
graph are learned, it is then compared to the items in the set of intrusion patterns (col. 2, lines 34- 
41 col. 8, lines 19-20). 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
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MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kenneth Tang whose telephone number is (571) 272-3772. The 
examiner can normally be reached on 8:30AM - 6:00PM, Every other Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Meng-Ai An can be reached on (571) 272-3756. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Kt 

11/17/04 



SUPERVISORY PATENT EXAMINER 

TraSLOSY CENTER 2100 




